C0051: APT28 Nearest Neighbor Campaign
APT28 Nearest Neighbor Campaign was conducted by APT28 from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 primarily leveraged living-off-the-land techniques, while leveraging the zero-day exploitation of CVE-2022-38028. Notably, APT28 leveraged Wi-Fi networks in close proximity to the intended target to gain initial access to the victim environment. By daisy-chaining multiple compromised organizations nearby the intended target, APT28 discovered dual-homed systems (with both a wired and wireless network connection) to enable Wi-Fi and use compromised credentials to connect to the victim network.[1]
Analyst context for executives and security teams
MITRE describes this campaign as APT28 activity from early February 2022 to November 2024 targeting organizations and individuals with expertise on Ukraine. Its business significance is the “nearest neighbor” access pattern: compromise or use nearby Wi-Fi environments and dual-homed systems to reach the intended victim, then rely heavily on legitimate Windows and network administration capabilities. For leaders, the key lesson is that perimeter, VPN, and endpoint visibility may not be enough if wireless networks, adjacent organizations, credentials, and dual-connected hosts are not included in risk and detection planning.
Executive priority
Prioritize this as an operational resilience and identity/network access governance issue, not only a malware problem. The campaign links initial access through Wi-Fi networks with credential access, RDP/SMB lateral movement, internal proxying, data staging, exfiltration over web services, firewall modification, and possible disk content wiping. Executives should ask whether wireless access, dual-homed devices, Windows administrative tooling, domain credential stores, and third-party/neighboring connectivity are covered by logging, segmentation, incident response playbooks, and audit evidence. CVE-2022-38028 is specifically referenced by MITRE, so vulnerability management should verify remediation status or documented compensating controls where relevant.
Technical view
ATT&CK provides no official detection text for this campaign, so SOC and IR validation should be built from the related techniques and software. Focus on Windows-heavy activity where supported by relationships: netsh, cipher.exe, PowerShell, Windows Command Shell, SAM and NTDS access, RDP, SMB/admin shares, Windows host firewall changes, and direct volume access. Also validate network-layer coverage for Wi-Fi discovery and Wi-Fi initial access, internal proxy behavior, exfiltration over web services, local data staging, archive creation, and disk content wipe indicators. A practical hunt path is to correlate unusual wireless association or configuration activity, dual-homed host behavior, credential access attempts, and subsequent RDP/SMB movement using valid credentials.
Likely telemetry
- Wireless controller/access point association, authentication, SSID, client, and roaming logs
- Endpoint process creation and command-line telemetry for netsh, cipher.exe, PowerShell, cmd, archive utilities, and firewall configuration changes
- Windows security logs and endpoint telemetry for RDP logons, SMB/admin share access, remote execution patterns, and account use anomalies
- Domain controller and Active Directory telemetry relevant to NTDS access, credential validation, and password spraying patterns
- Registry, file, and volume access telemetry relevant to SAM access, NTDS copies, direct volume access, staging directories, and archive creation
Detection direction
- Validate that wireless security monitoring is included in SOC workflows; this campaign’s access path can bypass assumptions that attacks originate only from the internet or VPN.
- Baseline and alert on dual-homed systems, especially hosts with both wired and wireless connectivity that can bridge access into sensitive networks.
- Tune detections for living-off-the-land behavior rather than only malware signatures: netsh, PowerShell, cmd, cipher.exe, Windows firewall changes, RDP, SMB, and archive utilities can all be legitimate in admin contexts.
- Correlate credential-access signals with lateral movement: SAM/NTDS access, password spraying, then RDP or SMB use from unusual systems or network segments should raise priority.
- Review egress monitoring for approved web services and encrypted traffic patterns; exfiltration over legitimate web services may not stand out in allow-list-based firewall rules.
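The hunt path described above, correlating wireless discovery, dual-homed host signals, credential access, internal proxying, RDP logons and wipe activity per host, as an added example written for this page (not MITRE's or Volexity's code). The event schema, command-line regexes and sample telemetry are constructed assumptions about how each technique shows up in process-creation and logon logs; the stage threshold is a tuning knob, not a MITRE figure.

```python
import re
from collections import defaultdict

# Stages of the access path this campaign entry lists. The regexes are assumed
# command-line shapes for each technique, not patterns from the page itself.
STAGES = [
    ("wifi_discovery", re.compile(r"netsh\s+wlan\s+show", re.I)),
    ("shadow_copy",    re.compile(r"vssadmin\s+create\s+shadow|wmic\s+shadowcopy\s+call\s+create", re.I)),
    ("hive_dump",      re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I)),
    ("portproxy",      re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I)),
    ("firewall_rule",  re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I)),
    ("secure_wipe",    re.compile(r"cipher(\.exe)?\s+/w:", re.I)),
]

def classify(event):
    """Map one event dict to a stage name, or None if it matches nothing."""
    if event.get("type") == "logon" and event.get("logon_type") == 10:
        return "rdp_logon"                       # RemoteInteractive logon
    if event.get("type") == "adapters" and {"802.3", "802.11"} <= set(event.get("media", [])):
        return "dual_homed"                      # wired + wireless NIC on one host
    cmd = event.get("cmdline", "")
    for name, rx in STAGES:
        if rx.search(cmd):
            return name
    return None

def score_hosts(events, min_stages=3):
    """Group events by host; return hosts with at least min_stages distinct stages."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items() if len(stages) >= min_stages}

# Constructed sample telemetry (not real logs): WS-07 shows a multi-stage chain,
# WS-12 shows two isolated signals that stay below the default threshold.
SAMPLE = [
    {"host": "WS-07", "type": "adapters", "media": ["802.3", "802.11"]},
    {"host": "WS-07", "type": "process", "cmdline": "netsh wlan show interfaces"},
    {"host": "WS-07", "type": "process", "cmdline": "netsh interface portproxy add v4tov4 listenport=3389"},
    {"host": "WS-07", "type": "logon", "logon_type": 10, "user": "svc_backup"},
    {"host": "WS-07", "type": "process", "cmdline": "cipher.exe /w:C:\\Users\\Public\\tmp"},
    {"host": "WS-12", "type": "process", "cmdline": "netsh wlan show profiles"},
    {"host": "WS-12", "type": "process", "cmdline": "reg save hklm\\sam C:\\temp\\sam.hiv"},
]

if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE).items():
        print(host, "->", ", ".join(stages))
```

Lowering `min_stages` surfaces single-technique hosts such as WS-12; in practice the per-stage matches should be enriched with the wireless-controller and AD telemetry listed above before raising priority.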
Mitigation priorities
- Inventory and govern wireless networks, access points, and clients; ensure wireless access is segmented from sensitive wired resources unless explicitly required.
- Identify and reduce dual-homed host exposure; where dual connectivity is required, apply segmentation, monitoring, and documented exception handling.
- Strengthen credential controls for wireless access, RDP, SMB/admin shares, and privileged Windows administration; review password spraying resilience and account lockout/monitoring evidence.
- Restrict and monitor access to domain controllers, SAM/NTDS material, administrative shares, and remote desktop services according to least privilege.
- Verify remediation or compensating controls for CVE-2022-38028 where applicable to the environment.
Analyst notes and limits
This take is based on the ATT&CK campaign object, its official description, the Volexity external reference listed by MITRE, and the supplied relationships to APT28, software, and techniques. The strongest decision value is the convergence of wireless proximity, compromised nearby infrastructure, dual-homed systems, credential use, and legitimate administration tools. That combination can create blind spots between physical proximity risk, network engineering, IAM, endpoint detection, and SOC monitoring.
The campaign object has no ATT&CK platform or tactic fields directly specified and no official detection guidance. Platform and tactic discussion is inferred only from the supplied related techniques and software. This summary does not establish current activity, customer exposure, or detection coverage; organizations must validate against their own wireless architecture, Windows estate, identity logs, vulnerability status, and incident telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.003 | NTDS Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 dumped NTDS.dit through creating volume shadow copies via |
| Enterprise | T1567 | Exfiltration Over Web Service | During APT28 Nearest Neighbor Campaign, APT28 exfiltrated data over public-facing webservers – such as Google Drive.[1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 used PowerShell cmdlet |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 used built-in PowerShell capabilities ( |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 used |
| Enterprise | T1686.003 | Windows Host Firewall Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 added rules to a victim's Windows firewall to set up a series of port-forwards allowing traffic to target systems.[1] |
| Enterprise | T1110.003 | Password Spraying Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 performed password-spray attacks against public-facing services to validate credentials.[1] |
| Enterprise | T1016.002 | Wi-Fi Discovery Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 collected information on wireless interfaces within range of a compromised system.[1] |
| Enterprise | T1669 | Wi-Fi Networks | During APT28 Nearest Neighbor Campaign, APT28 established wireless connections to secure, enterprise Wi-Fi networks belonging to a target organization for initial access into the environment.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During APT28 Nearest Neighbor Campaign, APT28 unarchived data using the GUI version of WinRAR.[1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 staged captured credential information in the |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 used RDP for lateral movement.[1] |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 used the following commands to dump SAM, SYSTEM, and SECURITY hives: |
| Enterprise | T1561.001 | Disk Content Wipe Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 used the native Microsoft utility cipher.exe to securely wipe files and folders – overwriting the deleted data using |
| Enterprise | T1584 | Compromise Infrastructure | During APT28 Nearest Neighbor Campaign, APT28 compromised third-party infrastructure in physical proximity to targets of interest for follow-on activities.[1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 leveraged SMB to transfer files and move laterally.[1] |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | During APT28 Nearest Neighbor Campaign, APT28 used the built-in |
| Enterprise | T1006 | Direct Volume Access | During APT28 Nearest Neighbor Campaign, APT28 accessed volume shadow copies through executing |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
S0108: netsh
S1205: cipher.exe
cipher.exe is a native Microsoft utility that manages encryption of directories and files on NTFS (New Technology File System) partitions by using the Encrypting File System (EFS).[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by its object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f5feeeb5bdf5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Nearest Neighbor Volexity: Koessel, Sean; Adair, Steven; Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
- [2] mitre-attack C0051 (MITRE ATT&CK campaign object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.